CVE-2017-16958
The CVE affects TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices. The affected component is the admin/bridge CGI in uhttpd, where shell metacharacters in the t_bindif field passed via the admin/bridge command to cgi-bin/luci can lead to remote command execution. Root cause is input constructed to trig...
CVE-2017-16959
The CVE-2017-16959 vulnerability affects TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices via the locale feature in cgi-bin/luci. The issue arises from set_sysinfo/get_sysinfo in /usr/lib/lua/luci/controller/locale.lua used by uhttpd, allowing remote authenticated users to probe for the existence of a...
CVE-2017-16957
CVE-2017-16957 affects TP-Link TL-WVR, TL-WAR, TL-ER and TL-R devices. A remote authenticated attacker can inject shell metacharacters via the iface field in the admin/diagnostic interface (cgi-bin/luci) that calls zone_get_effect_devices in /usr/lib/lua/luci/controller/admin/diagnostic.lua, trig...
VulnCheck KEV: CVE-2017-16959
The locale feature in cgi-bin/luci on TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allows remote authenticated users to test for the existence of arbitrary files by making an operation=write;locale=%0d request, and then making an operation=read request with a crafted Accept-Language HTTP...